Users may log into virtual machines (VMs) in a computer system, including in a cloud computing system. When a VM is ordered from a public cloud provider, it is usually set up with a single account (e.g., "root") that has access to the VM. Users who would like to access this VM usually receive the shared account credentials (typically a secure shell key, or SSH key) from the cloud provider and use them to log into the VM. This approach introduces security risks because the shared credentials are insufficiently controlled and because actions taken under the shared account cannot be attributed to an individual user, so there is a lack of accountability.
If local user accounts are created for each user to increase accountability, management of the local user accounts can become burdensome. The local user accounts need to be created and maintained, and mechanisms need to be put in place for password authentication and management. This may be unreasonably burdensome for many of the actions users regularly perform.
Other solutions may involve logging into a general server and requesting root privileges, or using a password vault. A password vault system rotates the shared account credentials based on time and usage. In order to log into the VM, a user must first retrieve the VM credentials from the password vault. This adds accountability and control to the process. However, such solutions require the user to change their regular work processes: instead of directly accessing the target VM, they must pass through the password vault to retrieve extra credentials. In addition, the need to go through the password vault may be unrelated to the type of work the user would like to perform on the VM. Also, the credentials to the system may have to be changed frequently, because accountability may rest on the assumption that only one user at a time knows the vault-issued password.